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Abstract: 

This document involves definition of technology interface requirements for Contingency 
Management. This was performed through a review of Contingency Management-related, HSI 
requirements documents, standards, and recommended practices. Technology concepts in use by 
the Contingency Management Work Package were considered. Beginning with HSI high-level 
functional requirements for Contingency Management, and Contingency Management technology 
elements, HSI requirements for the interface to the pilot were identified. Results of the analysis 
describe (1) the information required by the pilot to have knowledge of system failures and 
associated con tingency procedures, and (2) the con trol capability needed by the pilot to obtain 
system status and procedure information. Fundamentally, these requirements provide the 
candidate Contingency Management technology concepts with the necessary human-related 
elements to make them compatible with human capabilities and limitations. The results of the 
analysis describe how Contingency Management operations and functions should interface with 
the pilot to provide the necessary Contingency Management functionality to the UA-pilot system. 
Requirements and guidelines for Contingency Management are partitioned into four categories: 
(1) Health and Status and (2) Contingency Management. Each requirement is stated and is 
supported with a rationale and associated reference(s). 
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Executive Summary 


Access 5 is a NASA-led project tasked to recommend the policies, procedures, 
and functional requirements that will ensure High Altitude Long-Endurance 
(HALE) Unmanned Aircraft Systems (UAS) operate as safely as other routine 
users of the National Airspace System (NAS). Four phases or “STEPS” are 
planned to systematically develop the necessary technology, policies and 
regulations to enable manufacturers to apply for Federal Aviation Administration 
(FAA) certification and approval needed to operate their civil UAS in the NAS. 
Current (FY05) effort limits focus to UASs that operate above 43,000 feet (STEP 
1 ). 

In order for UAS to be integrated into the NAS, it is necessary to identify the 
human systems integration requirements that ensure safe operations in the NAS. 
As a result, the Human System Integration (HSI) Work Package was established 
within the overall Access 5 program to address this objective. In FY05, several 
HSI products were developed to contribute to overall program objectives. 

This product involves definition of technology interface requirements for 
Contingency Management. This was performed through a review of Contingency 
Management-related, HSI requirements documents, standards, and 
recommended practices. Technology concepts in use by the Contingency 
Management WP were assessed also. 

Beginning with HSI high-level functional requirements for Contingency 
Management, and Contingency Management technology elements, HSI 
requirements for the interface to the pilot were identified. Results of the analysis 
describe (1) the information required by the pilot to have knowledge of system 
failures and associated contingency procedures, and (2) the control capability 
needed by the pilot to obtain system status and procedure information. 
Fundamentally, these requirements provide the candidate Contingency 

Management technology concepts with the necessary human-related elements to 
make them compatible with human capabilities and limitations. The results of the 
analysis describe how Contingency Management operations and functions 
should interface with the pilot to provide the necessary Contingency 

Management functionality to the UA-pilot system. 

Requirements and guidelines for Contingency Management are partitioned into 
four categories: (1) Health and Status and (2) Contingency Management. 

Each requirement is stated and is supported with a rationale and associated 
reference(s). 
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ACS 

Aircraft Control Station 

BLOS 

Beyond Line of Sight 

FAA 

Federal Aviation Administration 

FAR 

Federal Aviation Regulation 

FRD 

Functional Requirements Document 

HALE 

High-Altitude, Long Endurance 

LOS 

Line-of-Sight 

UA 

Unmanned Aircraft 
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WP 
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l. Introduction 


1.1. Background 

Access 5 is a NASA-led project tasked to recommend the policies, procedures, 
and functional requirements that will ensure High Altitude Long-Endurance 
(HALE) Unmanned Aircraft Systems (UAS) operate as safely as other routine 
users of the National Airspace System (NAS). Four phases or “STEPS” are 
planned to systematically develop the necessary technology, policies and 
regulations to enable manufacturers to apply for Federal Aviation Administration 
(FAA) certification and approval needed to operate their civil UAS in the NAS. 
Current (FY05) effort limits focus to UASs that operate above 43,000 feet (STEP 
1 ). 

In order for UAS to be integrated into the NAS, it is necessary to identify the 
human systems integration requirements that ensure safe operations in the NAS. 
As a result, the Human System Integration (HSI) Work Package was established 
within the overall Access 5 program to address this objective. 

In FY05, several HSI products were developed to contribute to overall program 
objectives. The FY05 HSI effort followed a standard, HSI process methodology 
that produced the following deliverables (Figure 1): 

Deliverable 1: Human System Integration Step 1 Functional Requirement 
Document (FRD) 

Deliverable 2: Human System Integration (HSI) Step 1 Design Guidelines for the 
Unmanned Aircraft System (UAS) Ground Control Station 

Deliverable 3: High Altitude Long Endurance (HALE) Unmanned Aircraft System 
(UAS) Pilot Rating Criteria (Draft) 

Deliverable 4: HSI Requirements and Guidelines for Experimental Certification of 
the Unmanned Aircraft System 

Deliverable 5: Human Systems Integration Step 1 Pilot-Technology Interface 
Requirements 

Deliverable 5a: Human Systems Integration Step 1 Pilot- 

Technology Interface Requirements for Command, Control, and 
Communications in Unmanned Aircraft Systems 
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Deliverable 5b: Human Systems Integration Step 1 Pilot- 

Technology Interface Requirements for Collision Avoidance in 
Unmanned Aircraft Systems 

Deliverable 5c: Human Systems Integration Step 1 Pilot- 

Technology Interface Requirements for Contingency Management 
System in Unmanned Aircraft Systems 

Deliverable 5d: Human Systems Integration Step 1 Pilot- 

Technology Interface Requirements for the Weather System in 
Unmanned Aircraft Systems 

Deliverable 6: Human Systems Integration Support to Simulation and Flight Test 
for Step 1 
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Figure 1 . FY05 HSI Process and Deliverable Overview 


2 . Document Purpose 

The purpose of this document is to define HSI technology interface requirements 
for Contingency Management. 
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Research of human capabilities and limitations known for Contingency 
Management was performed through a review of HSI requirements documents, 
standards, and recommended practices. 

Technology concepts in use by the Contingency Management WP were 
assessed. 

Beginning with the HSI high-level functional requirement for Contingency 
Management, and Contingency Management technology elements, HSI 
requirements for the interface to the pilot were identified. Results of the analysis 
describe (1) the information required by the pilot to have knowledge of 
Contingency Management, and (2) the control capability needed by the pilot to 
obtain Contingency Management information. Fundamentally, these 
requirements provide the candidate Contingency Management technology 
concepts with the necessary human-related elements to make them compatible 
with human capabilities and limitations. The results of the analysis describe how 
Contingency Management operations and functions should interface with the 
pilot to provide the necessary Contingency Management functionality to the UA- 
pilot system. 

Requirements and guidelines for Contingency Management are partitioned into 
four categories: (1) Health and Status and (2) Contingency Management. 

Each requirement is stated and is supported with a rationale and associated 
reference(s). 
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3. Scope 


3.1. Ground Rules 

3.1.1. Requirements are based on Access 5 Program 
Contingency Management Work Package (WP) 
requirements and concepts as well as HSI standards and 
recommended practices. 

3.1.2. Requirements defined are for the Access 5 
program, Step 1 , which limits scope to Contingency 
Management only for flight above FL430. 

3.1.3. HSI Requirement Verification for dynamic 
operations (e.g., pilot assessment and diversion in 
response to engine malfunction) requires verification in a 
dynamic environment (i.e. , simulation or flight test). HSI 
Requirement Verification for static operations (e.g., 
procedure for engine malfunction) does not require 
verification in a dynamic environment, e.g., to be verified by 
analysis. 

3.1.4. Requirements defined are independent of any 
design solution except those specified by the Contingency 
Management WP. 

3.1.5. No distinction is made between Contingency 
Management requirements for line-of-sight (LOS) and 
beyond-line-of-sight (BLOS) HSI requirements 

3.2. Assumptions 

3.2.1 . The pilot has all necessary control and display 

capabilities in the ACS to satisfy HSI requirements for 
performing contingency management. 


4. Method 

Research and documentation of human capabilities and 
limitations known for Contingency Management was performed 
through a review of HSI requirements documents, standards, 
and recommended practices. Sources examined include 
Aeronautical Information Manual; FAA regulatory and advisory 
material; FAA Human Factors Design Guide; other key research 
papers. 
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The technology concepts in use by the Contingency 
Management WP were assessed. Program documents were 
also used as reference material. 1 

For these Contingency Management technology elements, HSI 
requirements for the interface to the pilot (in the form of pilot 
information and control requirements) were identified. 
Fundamentally, these requirements provide the candidate 
technology concepts with the necessary human-related 
elements to make them compatible with human capabilities and 
limitations. 

5. Technology Interface Requirements 

The HSI FRD describes the highest level functional requirement 
for Contingency Management as follows: “The Human System 
Interface shall enable the pilot to manage contingencies.” 2 In 
addition, a second high-level HSI functional requirement is 
applicable to this topic, “The Human System Interface shall 
convey information to the pilot to determine the health and 
status of the UAS.” 3 Technology interface requirements in this 
document fall under these requirements. 

Technology interface requirements are a necessary element of 
the HSI functional decomposition analysis of Contingency 
Management Functional and Performance requirements. The 
results of the analysis describe how Contingency Management 
operations and functions should interface with the pilot to 
provide the necessary Contingency Management functionality to 
the UA-pilot system. 

They represent high-level, requirements for (1) pilot control of a 
Contingency Management and (2) information required by the 
pilot to understand the workings of the Contingency 
Management. 

Requirements and guidelines are partitioned into two 
categories: (1) Health and Status and (2) Contingency 
Management. 


1 Contingency Management Requirements Document, Revision D. March 2005. 

Step 1 : Functional Requirements Document, Preliminary Draft. May 2005 

2 Step 1: Human System Integration (HSI) Functional Requirements Document (FRD), Version 
1.1, para. 2.4.4. July 2005. 

3 Step 1: Human System Integration (HSI) Functional Requirements Document (FRD), Version 
1.1, para. 2.1.3. July 2005. 


The following document was prepared by a collaborative team through the noted work package. This 
was a funded effort under the Access 5 Project. 




Each requirement is stated and is supported with a rationale 
and associated reference(s). 
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5.1. 


Health and Status 


5.1.1. ACS Display of Health and Status Data 
(Display Requirement). The ACS shall display health and 
status data for en route Contingency Management 
purposes. 

5.1 .1 .1 . Rationale. Health and status data shall make 
failures apparent and unambiguous to the pilot at the 
so the pilot obtains situation awareness of the vehicle 
state and in preparation to affect contingency 
management steps. In situations where automation 
failure would require user intervention, it is useful for 
the pilot to be warned that he or she will need to take 
manual control before the automated system fails. 
Information presented to the pilot should accurately 
reflect system and environment status in a manner so 
that the pilot rapidly recognizes, easily understands, 
and easily projects system outcomes. 4 5 

5.1.2. Pilot Control of Health and Status Data 
(Control Requirement). The pilot shall have control 
capability to obtain access to health and status data. 

5. 1.2.1. Rationale. The pilot requires the capability to 
affect control of systems to obtain health and system 
status. Control capability includes access to systems 
and, if employed, a caution and warning and/or 
diagnostic system, that collects, integrates, and 
summarizes health and status information. 4 5 6 

5.1.3. ACS Alerting of Health and Status (Display 
Requirement). The ACS shall display health and status 
data alerts to the pilot. 

5.1 .3.1 . Rationale. As the pilot will be involved in many 
ACS operations, it is not expected that the pilot will 
monitor the health and system status at all times. 
Humans are poor monitors over extended period of 


4 Human Factors Design Guide Update, Report Number DOT/FAA/CT-96/01 . Federal Aviation 
Administration. 2002. para 3.8.2, 3.8.3, 3.8.4, 3.8.12, 3.12.4. 

5 Human Factor Considerations in the Design of Multifunction Display Systems for Civil Aircraft, 
Aerospace Recommended Practice (ARP) 5364. Society of Automotive Engineers, March, 2003 
para. 3.11.1, 3.11.2, 4.4. 

6 Human Factor Considerations in the Design of Multifunction Display Systems for Civil Aircraft, 

Aerospace Recommended Practice (ARP) 5364. Society of Automotive Engineers, March, 2003 
para. 5.1 . 
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time. As a result, augmentation of pilot monitoring skill 
is required in the form of a master visual alert and/or 
aural alert to warn the pilot of a malfunction. 7 8 

5.2. Contingency Management 

5.2.1 . ACS Display of Contingency Management 
Information (Display Requirement). The ACS shall display 
contingency management data to the pilot. 

5.2. 1.1. Rationale. The UAS shall provide the pilot with 
the ability to handle contingencies, emergencies and 
other abnormal conditions with the equivalent level of 
safety of manned aircraft. For critical software, 
systems, or equipment, there shall be a clear, step-by- 
step description of procedures to be conducted in the 
event of failure 9 . The pilot should be provided with 
sufficient information to diagnose warning system 
operation or contingency management functions. 10 

5.2.2. Pilot Control of Contingency Management 
Information (Control Requirement). The pilot shall have 
control capability to obtain access to contingency 
management functions. 

5.2.2. 1 . Rationale. The pilot should be provided with 
sufficient controls to control warning system operation 
or contingency management functions. 11 12 

5.2.3. Redundant Control Capability (Control 
Requirement). The pilot shall have redundant means to 
access systems and equipment that provide a critical 
function. 


7 Human Factors Design Guide Update, Report Number DOT/FAA/CT-96/01 . Federal Aviation 
Administration. 2002. para. 7. 1.1.1. 

8 Human Factor Considerations in the Design of Multifunction Display Systems for Civil Aircraft, 
Aerospace Recommended Practice (ARP) 5364. Society of Automotive Engineers, March, 2003 
para. 5.5. 

9 Human Factors Design Guide Update, Report Number DOT/FAA/CT-96/01 . Federal Aviation 
Administration. 2002, para. 2.5.7. 

10 Human Factors Design Guide Update, Report Number DOT/FAA/CT-96/01. Federal Aviation 
Administration. 2002. para 3.8.15. 

11 Human Factor Considerations in the Design of Multifunction Display Systems for Civil Aircraft, 
Aerospace Recommended Practice (ARP) 5364. Society of Automotive Engineers, March, 2003 
para. 5.9. 

12 Human Factors Design Guide Update, Report Number DOT/FAA/CT-96/01. Federal Aviation 

Administration. 2002. para 3.8.15. 
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5. 2. 3.1. Rationale. If a single type of pilot interface is 

provided for a critical system function, the system has 
the potential for a single point failure to compromise 
safety of flight. If UAS safety analyses determine that 
the TBD probability of such a single point failure can 
lead to an unacceptable reliability level, a redundant 
method of pilot interface should be provided to satisfy 
the required level of redundancy and reliability. 

6 . Future Work 

6.1. Step 1 Lower Level Information and Control Requirements. 

The requirements described in this document represent a high 
level definition for pilot information and control capability. 

Future work is required to continue this analysis to the level 
appropriate to the needs of the program and its customers, 
(e.g., the FAA). Lower level information and control 
requirements will provide the FAA and manufacturers with an 
appropriate level of guidance without restricting the flexibility of 
design. The level of detail required is exemplified in FAR 
23.777, “Means must be provided to indicate to the flight crew 
the tank or function selected.” For Access 5 purposes, an 
analogous information requirement would read, “(For the top- 
level, Aviate functional requirement) A means must be 
provided at the ACS to indicate to the pilot the tank or function 
selected.” Once this level of detail is developed for each top- 
level functional requirement, the information and control 
requirements definition effort for Step 1 will be complete. 

6.2. Step 2, 3, and 4 Information and Control Requirements. 

After work for Step 1 has been completed, information and 
control requirements analyses are necessary for the 
succeeding Steps. The analysis will follow the functional 
requirements developed for these Steps and will focus on 
phases from takeoff to cruise and from cruise to landing. The 
analysis for altitudes between approximately FL180 and 
FL430 will require only minor additions to Step 1 results. 
Significantly new information will be produced from this 
analysis for the critical takeoff, climb, approach, and landing 
phases. 
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